Privacy Policy
Last updated: draft, not yet published
Draft, pending legal review
This is a working draft prepared for review by a qualified lawyer before publication. Text shown like [THIS] is a placeholder that must be completed, and [Review: like this] flags a point to confirm. Nothing here is binding until reviewed and published.
Overview
Ironcall is a local-first API client. Your data stays on your machine by default. This policy explains what information Ironcall collects, how it is used, and what choices you have.
Local storage
All data (collections, environments, request history, and UI state) is stored in a local SQLite database on your machine. Nothing is transmitted to any server unless you explicitly enable telemetry, submit a bug report, or turn on cloud sync.
Telemetry
Telemetry is opt-in. On first launch, Ironcall asks whether you want to enable anonymous usage statistics. If you agree, the following is sent on startup:
- App version
- OS name and version
- A SHA-256 hash of your primary MAC address, used to count unique installs (not reversible to the original address)
No request data, URLs, headers, body content, or credentials are ever collected. You can change your choice at any time in Settings → Privacy. Telemetry is retained for [RETENTION PERIOD].
Bug reports
Bug reports are opt-in and triggered by you. When you submit a report via the in-app button, the following is collected in addition to your description:
- Same fields as telemetry (version, OS, hashed MAC)
- Hardware info (CPU, RAM, GPU)
- Application logs
No request data or credentials are included. You can review what will be sent before submitting.
Secret variables
Variables you mark as secret are stored only in the local database on your device. Their values are never included in cloud sync, telemetry, bug reports, or exports (the key is preserved, the value left empty). A secret set on another device or by another member is never shared with you. [Review: confirm encryption at rest for local secrets. The docs state AES-256-GCM with a machine-derived key; an earlier version of this policy stated plain text. State only what is accurate in the shipped build.]
Accounts and cloud sync
Cloud sync and team features require an account and are optional. If you create an account, we store your email address, a hashed password, and your organization membership on EU-based servers. If you enable cloud sync, your workspace content is replicated to EU-based servers only and is end-to-end encrypted: the server stores ciphertext and never sees plaintext content. Ironcall never stores data outside the European Union. See Data & Compliance for retention and your rights.
Payments
Paid Pro subscriptions are processed by [PAYMENT PROCESSOR]. We do not store or process your card details ourselves; they are handled by the processor under its own privacy policy.
Website
This website (ironcall.dev) does not use cookies, tracking pixels, or third-party analytics. No personal data is collected when you browse the site. The feedback form stores your message on our EU-hosted server; your email address is optional and used only to respond to your message.
Your rights
Under the GDPR you have the right to access, rectify, erase, and port any personal data we hold, and to object to or restrict processing. Since Ironcall stores data locally on your machine, most data is already under your direct control. For data related to your account, cloud sync, or bug reports, contact contact@ironcall.dev and we will respond within 30 days.